Signatures

Nocturne uses a variant of Schnorr signatures over Baby Jubjub. The secret key is derived from the spending key $sk$, and the public key is the spending public key $\text{PK}$.

Spelled out, signing takes as input a message hash $m$ and proceeds as follows:

1. $h \leftarrow \text{SHA512}(sk)$

2. $s \leftarrow h[0:32]$(derive the signing secret key from the spending key)

3. $x \leftarrow h[32:64]$(extract 32 bytes of entropy from the spending key)

4. $v \leftarrow \text{randomBytes}(32)$ (sample another 32 random bytes)

5. $n \leftarrow \text{SHA512}(x\ ||\ v\ ||\ m) \mod r \in \mathbb{F_r}$ ("reduce" hash output into $\mathbb{F}_r$, using extra entropy from $sk$ addition to the rng)

6. $R \leftarrow n \times G$ (the rest is a "standard" Schnorr signature)

7. $c \leftarrow H(\text{PK.X}\ ||\ R.X\ ||\ R.Y\ ||\ m)$

8. $z \leftarrow n - \text{sk} \cdot c$

9. The signature is the pair $(c, z)$

To verify, we take as input the message $m$ and signature $(c, z)$ and do the following (this is the standard verification procedure):

1. $Z \leftarrow z \times G$

2. $P \leftarrow c \times \text{PK}$

3. $R \leftarrow Z + P$

4. $cp \leftarrow H(\text{PK.X}\ ||\ R.X\ ||\ R.Y\ ||\ m)$

5. Accept the signature if $cp = c$. Reject it otherwise.

Security Requirements

The signature scheme must be strongly unforgeable under chosen-message-attack (SUF-CMA).

Security Argument

Schnorr signature schemes are known to be secure under the discrete log assumption and the random-oracle model. In our case, it's secure based on the following assumptions:

1. Poseidon is a random oracle

2. The discrete log problem is infeasible in Baby Jubjub